Add non-interactive vault pass install modes

2026-05-14 15:45:16 +08:00
parent ea1bb0979f
commit 1cd0bfb9f2
4 changed files with 119 additions and 24 deletions
--- a/scripts/install-vault-pass.sh
+++ b/scripts/install-vault-pass.sh
@@ -5,6 +5,12 @@ REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 DEST="${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}"
 ARCHIVE="${1:-$REPO_DIR/secrets/vault-pass.txt.zip}"
 VAULT_FILE="${VAULT_FILE:-$REPO_DIR/secrets/vault.yml}"
+# Optional non-interactive controls:
+#   INSTALL_VAULT_PASS_METHOD=create|manual|url|archive
+#   VAULT_PASS_CONTENT=<content>          (for method=manual)
+#   VAULT_PASS_URL=<https-url>            (for method=url)
+#   VAULT_PASS_ZIP_PASSWORD=<password>    (for method=archive; avoid chat/log)
+#   VAULT_PASS_ZIP_PASSWORD_FILE=<path>   (for method=archive; safer than env)

 usage() {
  cat <<USAGE
@@ -13,7 +19,7 @@ Usage: scripts/install-vault-pass.sh [archive.zip]
 Installs the Ansible Vault password file to:
  ${VAULT_PASS_FILE:-$HOME/.config/vault-pass.txt}

-Behavior:
+Interactive behavior:
  1. If the password file already exists, keep it and verify permissions.
  2. If missing, prompt the user to choose one of four setup methods:
     [1] Create a new vault password and initialize/re-encrypt vault.yml
@@ -21,6 +27,13 @@ Behavior:
     [3] Download vault-pass.txt from a user-provided URL
     [4] Extract vault-pass.txt from a password-protected zip archive

+Non-interactive agent mode:
+  INSTALL_VAULT_PASS_METHOD=create ./scripts/install-vault-pass.sh
+  VAULT_PASS_CONTENT='...' INSTALL_VAULT_PASS_METHOD=manual ./scripts/install-vault-pass.sh
+  VAULT_PASS_URL='https://...' INSTALL_VAULT_PASS_METHOD=url ./scripts/install-vault-pass.sh
+  VAULT_PASS_ZIP_PASSWORD_FILE=/secure/pass INSTALL_VAULT_PASS_METHOD=archive ./scripts/install-vault-pass.sh
+  VAULT_PASS_ZIP_PASSWORD='...' INSTALL_VAULT_PASS_METHOD=archive ./scripts/install-vault-pass.sh
+
 Default archive path for method [4]:
  $REPO_DIR/secrets/vault-pass.txt.zip
 USAGE
@@ -32,9 +45,7 @@ ensure_dest_dir() {
  chmod 700 "$(dirname "$DEST")" || true
 }

-secure_dest() {
-  chmod 600 "$DEST"
-}
+secure_dest() { chmod 600 "$DEST"; }

 verify_existing() {
  if [ -f "$DEST" ]; then
@@ -98,27 +109,35 @@ YAML

 manual_create() {
  ensure_dest_dir
-  cat <<MSG
+  if [ -n "${VAULT_PASS_CONTENT:-}" ]; then
+    umask 077
+    printf '%s\n' "$VAULT_PASS_CONTENT" > "$DEST"
+  else
+    cat <<MSG
 Paste/type the vault password content now, then press Enter.
 Input is hidden. The content will be written to:
  $DEST
 MSG
-  read -r -s pass
-  printf '\n'
-  if [ -z "$pass" ]; then
-    echo "Empty password is not allowed." >&2
-    exit 4
+    read -r -s pass
+    printf '\n'
+    if [ -z "$pass" ]; then
+      echo "Empty password is not allowed." >&2
+      exit 4
+    fi
+    umask 077
+    printf '%s\n' "$pass" > "$DEST"
  fi
-  umask 077
-  printf '%s\n' "$pass" > "$DEST"
  secure_dest
  echo "Installed manually provided vault password file: $DEST"
 }

 download_from_url() {
  ensure_dest_dir
-  printf 'Enter vault-pass.txt URL: '
-  read -r url
+  url="${VAULT_PASS_URL:-}"
+  if [ -z "$url" ]; then
+    printf 'Enter vault-pass.txt URL: '
+    read -r url
+  fi
  if [ -z "$url" ]; then
    echo "URL is required." >&2
    exit 4
@@ -161,8 +180,19 @@ ERR
  cleanup() { rm -rf "$tmpdir"; }
  trap cleanup EXIT

-  # unzip will prompt for the archive password interactively.
-  unzip -q "$ARCHIVE" -d "$tmpdir"
+  if [ -n "${VAULT_PASS_ZIP_PASSWORD_FILE:-}" ]; then
+    if [ ! -f "$VAULT_PASS_ZIP_PASSWORD_FILE" ]; then
+      echo "Missing VAULT_PASS_ZIP_PASSWORD_FILE: $VAULT_PASS_ZIP_PASSWORD_FILE" >&2
+      exit 4
+    fi
+    zip_pass="$(cat "$VAULT_PASS_ZIP_PASSWORD_FILE")"
+    unzip -P "$zip_pass" -q "$ARCHIVE" -d "$tmpdir"
+  elif [ -n "${VAULT_PASS_ZIP_PASSWORD:-}" ]; then
+    unzip -P "$VAULT_PASS_ZIP_PASSWORD" -q "$ARCHIVE" -d "$tmpdir"
+  else
+    # unzip will prompt for the archive password interactively.
+    unzip -q "$ARCHIVE" -d "$tmpdir"
+  fi

  src="$tmpdir/vault-pass.txt"
  if [ ! -f "$src" ]; then
@@ -185,6 +215,16 @@ verify_vault_readable_if_possible() {
  fi
 }

+run_method() {
+  case "$1" in
+    create|1) create_new_password ;;
+    manual|2) manual_create ;;
+    url|3) download_from_url ;;
+    archive|4) extract_from_archive ;;
+    *) echo "Invalid setup method: $1" >&2; exit 4 ;;
+  esac
+}
+
 if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
  usage
  exit 0
@@ -195,6 +235,12 @@ if verify_existing; then
  exit 0
 fi

+if [ -n "${INSTALL_VAULT_PASS_METHOD:-}" ]; then
+  run_method "$INSTALL_VAULT_PASS_METHOD"
+  verify_vault_readable_if_possible || true
+  exit 0
+fi
+
 cat <<MENU
 Vault password file does not exist:
  $DEST
@@ -208,12 +254,5 @@ MENU
 printf 'Enter choice [1-4]: '
 read -r choice

-case "$choice" in
-  1) create_new_password ;;
-  2) manual_create ;;
-  3) download_from_url ;;
-  4) extract_from_archive ;;
-  *) echo "Invalid choice: $choice" >&2; exit 4 ;;
-esac
-
+run_method "$choice"
 verify_vault_readable_if_possible || true